[lug] iptables
j davis
davis_compz at hotmail.com
Wed Mar 27 21:31:19 MST 2002
cool!!thanks alot...i have always used the nat table to block cause my
firewalls
are generally doing nat ...any way...so, if i had a firewall doing nat and
port forwarding i would wright rules in the nat tables to protect my clients
using private adds and wright rules in the forward and input chain to secure
the firewall itself?
and if the box is a standalone firewall, just filtering request for itself,
just put rules in forward and input?
one last question...i use snort to iptables to monitor the ports i open to
the world...if snort makes a alert snort2iptables wrights a rule in
prerouting to drop traffic from the ip creating alerts..however request for
ports that are world accseable hit the prerouting table first when coming
from the internet they are then met with a rule to port forward to another
box...so they are forwaded before
they hit the rule that snort2iptables has written. so...ip makes alert,
snort2iptables wright rule in prerouting, same ip connects to service again
cause
it never makes it past the rule that forwards to another box, can i stop
this?
thanks
jd
>From: Rob Nagler <nagler at bivio.biz>
>Reply-To: lug at lug.boulder.co.us
>To: lug at lug.boulder.co.us
>Subject: Re: [lug] iptables
>Date: Wed, 27 Mar 2002 18:00:53 -0700
>
> > iptables -t nat -A PREROUTING -p tcp --dport 6000:7000 -j DROP
>
>I wouldn't use the nat table. You probably want to stick to the
>INPUT, OUTPUT, and FORWARD tables for filtering. This protects the
>box itself, which I don't believe nat does.
>
>You probably want something like:
>
>iptables -A INPUT -i eth0 -p tcp -m state --state NEW \
> --destination-port 6000:7000 -j DROP
>
>I like to log everything (almost :), so you might want something:
>
>iptables -A INPUT -i eth0 -p tcp -m state --state NEW \
> --destination-port 6000:7000 -j LOG --log-prefix 'INPUT invalid: '
>
>If you want to block forwarding X, just replace INPUT with FORWARD.
>
>There's more to iptables than blocking X11. In general, you want to
>block everything coming in unless you specifically allow it.
>
>I recommend the following page:
>
>http://www.cs.princeton.edu/~jns/security/iptables/
>
>I attached the Perl program we use to configure iptables. I also
>modified rc.d/init.d/iptables to not save counters. This allows us to
>diff more easily. The script tries to recover if the new config is
>bogus. The script looks for the custom configuration in
>/etc/sysconfig/iptables-local.PL. It doesn't need to be there, but it
>if it is, it allows the local host to provide more services,
>e.g. samba. You can see what it does by typing:
>perl -w iptables.PL -n
>
>Rob
>----------------------------------------------------------------
>#!/usr/bin/perl -w
># $Id: iptables.PL,v 1.2 2002/03/23 04:47:06 nagler Exp $
>use strict;
>
>=head1 NAME
>
>iptables.PL - initialize iptables using configuration
>
>=head1 SYNOPSIS
>
> perl -w iptables.PL [-verbose] [-noexecute]
>
>=head1 DESCRIPTION
>
>C<iptables.PL> initializes iptables. You run this once
>and then use C<iptables-save>.
>
>I got some of this from:
>http://www.cs.princeton.edu/~jns/security/iptables/
>
>We should have an error trap on this. You should not debug this script
>when you don't have access to computer locally.
>
>=head1 CONFIGURATION
>
>Configuration is a hash in F</etc/sysconfig/iptables-local.PL> (need not be
>present) with the following boolean attributes:
>
>=over 4
>
>=item http
>
>Allow incoming http and https from anywhere.
>
>=item local_pop
>
>Allow incoming pop3 and pop3s on local net only.
>
>=item pop
>
>Allow incoming pop3 and pop3s from anywhere.
>
>=item samba
>
>Allow incoming samba on local net only.
>
>=item http
>
>Allow incoming smtp from anywhere.
>
>=back
>
>=back
>
>=cut
>
>#=IMPORTS
>
>#=VARIABLES
>my($_VERBOSE) = grep($_ =~ /^-(v|verbose)$/, @ARGV);
>my($_NO_EXECUTE) = grep($_ =~ /^-(n|noexecute)$/, @ARGV) && ($_VERBOSE =
>1);
>my($_CFG) = do('/etc/sysconfig/iptables-local.PL') || {};
>my($_LOCAL_NET) = _local_net();
>_main();
>
>#=PRIVATE METHODS
>
># _basic_filter(string chain, string dir, array accept_interfaces)
>#
># accept_interfaces are not filtered. On the rest of the interfaces,
># allow established,related and drop invalid.
>#
>sub _basic_filter {
> my($chain, $dir, @accept_interfaces) = @_;
> foreach my $ifc (@accept_interfaces) {
> _do("-A $chain $dir $ifc -j ACCEPT");
> }
>
> # Basic protection
> _do("-A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT");
> _stop_and_log($chain, '-m state --state INVALID', 'DROP', 'invalid');
> return;
>}
>
># _cfg_forward()
>#
># Forward filter is completely closed.
>#
>sub _cfg_forward {
> _basic_filter('FORWARD', '-i', 'lo');
> _stop_and_log('FORWARD', '', '', 'default');
> return;
>}
>
># _cfg_input()
>#
># INPUT filter
>#
>sub _cfg_input {
> # lo is a safe interface. We accept anything from it.
> _basic_filter('INPUT', '-i', 'lo');
> _cfg_input_tcp();
> _cfg_input_udp();
> _cfg_input_eth0('-p icmp -j ACCEPT');
> _stop_and_log('INPUT', '', '', 'default');
> return;
>}
>
># _cfg_input_eth0(string args)
>#
># shorthand for input -i eth0 commands.
>#
>sub _cfg_input_eth0 {
> my($args) = @_;
> _do("-A INPUT -i eth0 $args");
> return;
>}
>
># _cfg_input_tcp()
>#
># Input TCP ports
>#
>sub _cfg_input_tcp {
> my($ports) = '';
> $ports .= ',http,https' if $_CFG->{http};
> $ports .= ',smtp' if $_CFG->{smtp};
> $ports .= ',pop3,pop3s' if $_CFG->{pop};
> _cfg_input_eth0('-p tcp -m state --state NEW -m multiport'
> . ' --destination-port ssh'.$ports
> . ' -j ACCEPT');
> _cfg_input_eth0('-p tcp -m state --state NEW --destination-port
>8000:8999'
> . ' -j ACCEPT');
> $ports = '';
> $ports .= 'netbios-ns,netbios-dgm,netbios-ssn,' if $_CFG->{samba};
> $ports .= 'pop3,pop3s,' if $_CFG->{local_pop};
> chop($ports);
> _cfg_input_eth0('-p tcp -m state --state NEW -m multiport'
> . " -s $_LOCAL_NET -d $_LOCAL_NET --destination-port"
> . ' -j ACCEPT')
> if $ports;
>
> # Reject ident probes with a tcp reset. Somef servers won't do well
>if you
> # don't do this.
> _cfg_input_eth0('-p tcp --dport auth -j REJECT --reject-with
>tcp-reset');
>
> # LOG port scans
> _stop_and_log('INPUT',
> '-p tcp --tcp-flags SYN,ACK,RST ACK -m state --state NEW',
> 'REJECT --reject-with tcp-reset',
> 'ACK scan');
>
> # We'll see this with trace route
> _stop_and_log('INPUT',
> '-p tcp ! --syn -m state --state NEW',
> 'DROP',
> 'scan');
> _stop_and_log('INPUT',
> '-p tcp --tcp-option 64',
> 'DROP',
> 'tcpopt 64');
> _stop_and_log('INPUT',
> '-p tcp --tcp-option 128',
> 'DROP',
> 'tcpopt 128');
> return;
>}
>
># _cfg_input_udp()
>#
># INPUT UDP configuration
>#
>sub _cfg_input_udp {
> _cfg_input_eth0('-p udp --source-port domain -m state'
> . ' --state ESTABLISHED -j ACCEPT');
> _cfg_input_eth0('-p udp --source-port ntp -m state'
> . ' --state ESTABLISHED -j ACCEPT');
> _cfg_input_eth0('-p udp -m multiport --port bootpc,bootps -j
>ACCEPT');
> _cfg_input_eth0('-p udp -m multiport'
> . " -s $_LOCAL_NET -d $_LOCAL_NET --destination-port"
> . ' netbios-ns,netbios-dgm,netbios-ssn'
> . ' -j ACCEPT')
> if $_CFG->{samba};
> # Ignore route packets
> _do('-A INPUT -p udp --dport route -j DROP');
> return;
>}
>
># _cfg_output()
>#
># Output filter is wide open for now.
>#
>sub _cfg_output {
> _basic_filter('OUTPUT', '-o', 'lo', 'eth0');
> _stop_and_log('OUTPUT', '', '', 'default');
> return;
>}
>
># _do(string cmd)
>#
># Dies if system($cmd) doesn't work. Inserts iptables in prefix if $cmd
># begins with '-'. Observes noexecute and verbose flags.
>#
>sub _do {
> my($cmd) = @_;
> $cmd = 'iptables '.$cmd if $cmd =~ /^-/;
> print($cmd, "\n") if $_VERBOSE;
> return if $_NO_EXECUTE;
> system($cmd) == 0 || die("$cmd FAILED");
> return;
>}
>
># _init_modules()
>#
># Loade modules needed by iptables
>#
>sub _init_modules {
> foreach my $mod (qw(
> ip_tables
> iptable_nat
> ip_conntrack
> ip_conntrack_ftp
> ip_conntrack_irc
> iptable_filter
> iptable_mangle
> ipt_LOG
> ipt_REJECT
> ipt_state)) {
> _do("modprobe $mod");
> }
> return;
>}
>
># _init_tables()
>#
># initializes the policies.
>#
>sub _init_tables {
> #
> # POLICY (before flush): DROP
> #
> _do('-P INPUT DROP');
> _do('-P OUTPUT DROP');
> _do('-P FORWARD DROP');
>
> #
> # FLUSH
> #
> _do('-F');
> # _do('-F -t nat');
> # _do('-F -t mangle');
> _do('-X');
> _do('-Z');
>
> #
> # POLICY (after flush): DROP
> #
> _do('-P INPUT DROP');
> _do('-P OUTPUT DROP');
> _do('-P FORWARD DROP');
> return;
>}
>
># _local_net() : string
>#
># Determine the local network and mask
>#
>sub _local_net {
> foreach my $line (split(/\n/, `netstat -r`)) {
> return "$1/$2\n"
> if $line =~ /^((?:\d+\.){3}\d+)\s*\S*\s*(255.255.255.\d+)/;
> }
> die('unable to determine local network');
> # DOES NOT RETURN
>}
>
># _main()
>#
># Initializes then executes configurations
>#
>sub _main {
> my(@ARGV) = @_;
> unless (_yes(10, 'Reconfigure iptables?')) {
> print("\nNOT CONFIGURING\n");
> return;
> }
> my($save) = '/etc/sysconfig/iptables';
> _do('/etc/rc.d/init.d/iptables save') unless -f $save;
> my($old) = "$save.rpmsave";
> _do("cp -pf $save $old");
> eval {
> _init_modules();
> _init_tables();
> _cfg_input();
> _cfg_output();
> _cfg_forward();
> # minimize counter differences in diff
> _do('-Z');
> _do('/etc/rc.d/init.d/iptables save');
> print(grep(s/^([<>] )\[\d+:\d+] /$1/, `diff $old $save`));
> # Give more time to review changes
> die("not OK\n") unless _yes(30, 'Reconfiguration OK?')
> };
> return unless $@;
> print(STDERR $@, "RESTORING OLD CONFIGURATION\n");
> # If the copy fails, we have to blow up
> _do("cp -pf $old $save");
> _do('/etc/rc.d/init.d/iptables restart');
> return;
>}
>
># _stop_and_log(string chain, string rule, string jump string log_prefix) :
>#
># Log the rule on chain with prefix and rewrite rule if jump is not
># empty.
>#
>sub _stop_and_log {
> my($chain, $rule, $jump, $log_prefix) = @_;
> _do("-A $chain $rule -m limit --limit 2/m --limit-burst 1"
> . " -j LOG --log-prefix '$chain $log_prefix: '");
> _do("-A $chain $rule -j $jump") if $jump;
> return;
>}
>
># _yes(int timeout, string prompt) : boolean
>#
># Returns true if ok to proceed. Times out if no answer in 15 seconds.
>#
>sub _yes {
> my($timeout, $prompt) = @_;
> print($prompt, " You have $timeout seconds to enter y[es]: ");
> my($answer);
> eval {
> local($SIG{ALRM}) = sub { die("alarm\n"); };
> alarm($timeout);
> $answer = <STDIN>;
> alarm(0);
> };
> return 0 unless $answer;
> chomp($answer);
> $answer =~ s/^\s+|\s+$//g;
> return $answer =~ /^(y|yes)$/ ? 1 : 0;
>}
>
>=head1 VERSION
>
>$Id: iptables.PL,v 1.2 2002/03/23 04:47:06 nagler Exp $
>
>=cut
>
>=comment
>
>#
># SNAT
>#
># Make everything going out eth0 look like it is going out correct IP addr
># iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 204.188.99.210
>
>#
># DNAT
>#
># Make incoming port 80 map to bivio.com (testing)
># iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 \
># -j DNAT --to 10.1.1.128
>
>#
># INPUT (destined for this box)
>#
>
>
>stop_and_log INPUT '' '' default
>
>#
># OUTPUT (locally generated packets)
>#
># Allow anything from this box out to eth0 and lo. Our servers are
>friendly.
>
>
>## Outgoing UDP
>#iptables -A OUTPUT -o eth0 -p udp -m multiport \
># --destination-port domain,ntp -j ACCEPT
>## traceroute uses lots of different ports
>#iptables -A OUTPUT -o eth0 -p udp \
># --destination-port 33435:33500 -j ACCEPT
>## Outgoing TCP
>#iptables -A OUTPUT -o eth0 -p tcp -m multiport \
># --destination-port $TCP_SERVICES,ntp,smtp,auth -j ACCEPT
>#
>## Outgoing ICMP
>#iptables -A OUTPUT -o eth0 -p icmp -j ACCEPT
>
># log unwanted attempts, not flooding the logfile
>
>#
># FORWARD (passing through box)
>#
>#basic_filter FORWARD -i lo
>
># # Outgoing TCP
># iptables -A FORWARD -i eth1 -p tcp -m multiport \
># --destination-port $TCP_SERVICES -j ACCEPT
>
># Outgoing TCP on invalid ports, we reject
># stop_and_log FORWARD \
># '-i eth1' \
># 'REJECT --reject-with icmp-proto-unreachable' \
># 'internal proto'
>
># # Outgoing ICMP
># iptables -A FORWARD -i ! eth0 -p icmp -j ACCEPT
>
># log unwanted attempts, not flooding the logfile
># stop_and_log FORWARD '' '' default
>
>=cut
>
>
>_______________________________________________
>Web Page: http://lug.boulder.co.us
>Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp.
More information about the LUG
mailing list